If you need to find out all the sub-domains of a given domain name, you can try an AXFR (zone transfer) request.
This works only if the name server (NS) you are querying is configured to allow AXFR requests.
Not all name servers allow AXFR queries; most of them return “Transfer failed”.
The first thing you have to do is find the authoritative name server(s) for the domain name in question, e.g. zonetransfer.me:
$ dig zonetransfer.me
Look under the AUTHORITY SECTION:
;; AUTHORITY SECTION:
zonetransfer.me. 7122 IN NS ns16.zoneedit.com.
zonetransfer.me. 7122 IN NS ns12.zoneedit.com.
In this case zonetransfer.me has 2 name servers: ns12.zoneedit.com and ns16.zoneedit.com.
Now you can query one of these servers for the sub-domains of zonetransfer.me:
$ dig @ns12.zoneedit.com zonetransfer.me AXFR
Here is the result:
; <<>> DiG 9.9.2-P1 <<>> @ns12.zoneedit.com zonetransfer.me AXFR
; (1 server found)
;; global options: +cmd
***
zonetransfer.me. 7200 IN NS ns16.zoneedit.com.
zonetransfer.me. 7200 IN NS ns12.zoneedit.com.
zonetransfer.me. 7200 IN A 217.147.180.162
zonetransfer.me. 7200 IN MX 0 ASPMX.L.GOOGLE.COM.
***
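An administrator checking their own name servers can classify the outcome of the dig query above automatically. The shell functions below are an added example, not part of the original page; both sample outputs are constructed (example.com, example.net and 192.0.2.x are placeholders), and the function names axfr_verdict and axfr_names are hypothetical.

```shell
#!/bin/sh
# Added example: classify saved `dig @ns zone AXFR` output when auditing your own zone.
# Both samples are constructed; names and addresses are placeholders.
SAMPLE_OPEN='; <<>> DiG 9.9.2-P1 <<>> @ns1.example.com example.com AXFR
; (1 server found)
;; global options: +cmd
example.com. 7200 IN SOA ns1.example.com. hostmaster.example.com. 1 3600 600 86400 3600
example.com. 7200 IN NS ns1.example.com.
www.example.com. 7200 IN A 192.0.2.10
vpn.example.com. 7200 IN A 192.0.2.20
example.com. 7200 IN SOA ns1.example.com. hostmaster.example.com. 1 3600 600 86400 3600'

SAMPLE_REFUSED='; <<>> DiG 9.9.2-P1 <<>> @ns1.example.net example.net AXFR
; (1 server found)
;; global options: +cmd
; Transfer failed.'

# axfr_verdict: read dig output on stdin and print one of
#   "open <record count>", "refused" or "unknown" (e.g. timeout, empty input).
axfr_verdict() {
    awk '
        /Transfer failed/ { failed = 1 }
        # Resource record lines: not a dig comment, at least 5 fields, class IN.
        !/^;/ && NF >= 5 && $3 == "IN" { records++ }
        END {
            if (records > 0)  print "open " records
            else if (failed)  print "refused"
            else              print "unknown"
        }'
}

# axfr_names: list the distinct owner names a successful transfer disclosed.
axfr_names() {
    awk '!/^;/ && NF >= 5 && $3 == "IN" { print tolower($1) }' | sort -u
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_OPEN" | axfr_verdict
printf '%s\n' "$SAMPLE_OPEN" | axfr_names
printf '%s\n' "$SAMPLE_REFUSED" | axfr_verdict
```

On real data, pipe the output of the dig command into axfr_verdict; an "open" verdict from a public-facing server means the whole zone is readable by anyone who asks.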